Federal regulations are mandated to be adopted in final form by each of the agencies within six months after enactment of the law, that is, by no later than May 12, 2000, to be effective six months thereafter. These regulations may narrow some of the more gaping exemptions and clarify others, but the regulators themselves are also empowered to open even more "as deemed consistent with the purposes" of the act. Significantly, the regulators are not explicitly permitted to create further exemptions from the requirements that financial institutions disclose their privacy policies to customers; however, they are broadly empowered to create new exemptions from the "opt out" rule. The enthusiasm of the regulators to clarify the scope and ambiguities of the new law, or to tighten uncertain standards, will await agency rulemakings that are likely to draw far more than usual public attention to agency proceedings.

However, due to strong pressure from federal agencies and private sector industry groups, only public actions were covered by the statute; it does not extend to cover actions by private entities. Although the act was originally intended to protect privacy concerns from the increasing use of computerized records, it failed to protect the biggest privacy intrusion today -- the collection of personally identifiable information by private sector entities.

THE COMPUTER PRIVACY MATCHING ACT OF 1988 FALLS SHORT OF THE GOAL OF PROTECTING PERSONAL INFORMATION

The Computer Matching Privacy Act falls short of protecting against detailed profiling of individuals in the private sector -- this legislation only binds the computer matching of federal agencies. Private marketing enterprises profitably buy and sell customer lists, which indicate interests and purchasing habits, providing detailed profiles of individuals and families. Many of the direct marketing intrusions into privacy result from the matching of various customer lists, making detailed profiling a popular option. And with the proliferation of computers and transactional data generated from matching, the marketing industry's use of this cost-efficient method of gathering information has run rampant.

EXCEPTIONS BUILT IN TO STATUS QUO CONSUMER INFORMATION PRIVACY LAW IGNORE THE THREAT TO PRIVACY BY THE INTERNET

The federal privacy safeguards are honeycombed with exceptions, leaving the new regime, despite its reassuring public appearance, to be significantly less than comprehensive. Most conspicuously, the privacy provisions of the new law do not apply to all consumer information, but only to so-called "non-public personal information." The term appears broadly inclusive: encompassing all personally identifiable financial information that is provided to a financial institution by a customer, or results from any transaction with the customer, or is otherwise obtained by the financial institution. However, the term does not include information covered by one of several statutory exemptions.

Seemingly most enormous is the exemption of all "public information," which at least one legal commentator has already speculated may exclude any information available over the Internet. Moreover, all information "derived from" public information is exempted as well. Those exclusions, in particular, blithely ignore the substantial threat to privacy posed, not by access to specific bits of information, but rather by the compilation and sharing through modern technologies of otherwise available data affecting individuals - the development of which is arguably the greater threat to privacy, and is yet unaffected by the new law.

Other than on a handful of college campuses, the Net didn't exist in 1986 when the Electronic Communications Privacy Act was enacted. Written mainly to extend the protections against wiretapped telephone calls, the law divided electronic communications into "stored content" and "stored records."

"Back then, you didn't have real-time electronic communications like e-mail or chat rooms," said Terry Thompson, who specializes in technology-related business issues at Gallagher & Kennedy.

"The courts have tried to shoehorn these activities into ECPA, and they don't quite fit."

The result has been a confusing set of rules that alarm some privacy advocates. For example, police and other government agencies need a subpoena before they can read someone's e-mail, but the legal threshold is not as stringent as when a wiretap is requested.

Private parties can't get a subpoena to read e-mail, but they don't need one to ask an Internet service provider for the personal information, the "stored records," of its subscribers.